What is it?
HashiCorp Vault is an open-source secrets management platform that provides full lifecycle management of static and dynamic secrets.
Secrets and key management systems more broadly help reduce secret sprawl and remove the need to keep sensitive information in code or in unencrypted files.
Clients (users, machines or applications) need access to secrets, and in Vault they all get it through the Vault API. Vault first authenticates the client, using an auth method backed by an identity provider such as Azure AD. It then applies a policy to that client, which decides which paths the client may read or write. Finally, Vault records every request through its audit devices, giving you an audit trail. Vault can also hold encryption keys and certificates, not just passwords.
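As an added illustration of the "policy" step (this is example code written for this page, not from the original post or from HashiCorp), here is a Vault policy in HCL of the kind Vault evaluates on every request after the client has authenticated. The application name `billing-api`, the paths and the database role name are assumed for the example.

```hcl
# billing-api.hcl: policy for a hypothetical "billing-api" workload (example only).
# Vault is default-deny: any path not matched below is refused.

# Read the application's own static secrets (KV v2 stores data under secret/data/...).
path "secret/data/billing-api/*" {
  capabilities = ["read"]
}

# Listing keys in KV v2 goes through the metadata path, so grant it separately.
path "secret/metadata/billing-api/*" {
  capabilities = ["list"]
}

# Fetch short-lived database credentials from a dynamic secrets role.
path "database/creds/billing-readonly" {
  capabilities = ["read"]
}

# An explicit deny beats any broader grant, so an admin sub-tree can be carved out
# even though the wildcard above would otherwise cover it.
path "secret/data/billing-api/admin/*" {
  capabilities = ["deny"]
}
```

The policy is loaded with `vault policy write billing-api billing-api.hcl` and attached to the role the client logs in with in whichever auth method it uses; every token issued through that role is then limited to exactly these paths. The audit trail mentioned above is a separate device, enabled for instance with `vault audit enable file file_path=/var/log/vault_audit.log`, and once at least one audit device is enabled Vault refuses to serve a request it cannot log.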
Why use HashiCorp Vault?
Why use it over Azure Key Vault or AWS KMS?
1. You can host Vault wherever you want: you are not tied to a particular platform, it is cloud agnostic. You could run it in a datacenter, on your laptop, anywhere. Running it on a local machine is also a benefit for developers, since no internet connection, account or cloud subscription is required.
2. Vault has the concept of 'secrets engines', which makes it extensible: they let Vault interface directly with physical systems, databases, HSMs and so on, and also with less conventional backends such as AWS IAM or dynamic SQL user creation, all through the same read/write interface.
3. Azure Key Vault and AWS KMS are managed services: you do not have full control over where they run or how they are operated.
4. Vault is open source: twitchy auditors can read the code and assess it for themselves.
5. You can back Vault with a hardware security module (HSM): a tamper-resistant device that stores keys and destroys them if tampering is detected. Note that HSM-backed auto-unseal and seal wrapping are Vault Enterprise features.
6. Configuration management systems can be augmented with Vault: Puppet, Chef and Ansible each have their own notion of secrets management, and Vault can be used to supply the secrets instead of keeping them in those tools' own data files.
7. Vault can act as an identity broker: your application on premises may need to access a datastore in AWS. AWS grants access through IAM identities, which the on-premises application knows nothing about. Vault can act as a translation broker: the application authenticates to Vault with an identity it does have, and Vault hands it short-lived AWS credentials.
8. Azure Key Vault can complement HashiCorp Vault: with auto-unseal, the key that protects Vault's master key is held in Azure Key Vault, so nobody has to hold unseal key shares to bring a Vault server up. Check out the HashiCorp Vault on Azure link below for more details.
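As an added example of point 8 (written for this page, not taken from the original post or from HashiCorp's documentation), this is a Vault server configuration file that uses the `azurekeyvault` seal for auto-unseal. The storage path, node name, hostnames, Key Vault name and key name are assumptions for the example.

```hcl
# vault.hcl (example only): Raft storage, a TLS listener and auto-unseal backed by
# a key held in Azure Key Vault.

storage "raft" {
  path    = "/opt/vault/data"   # assumed data directory
  node_id = "vault-1"           # assumed node name
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # assumed certificate path
  tls_key_file  = "/etc/vault.d/tls/vault.key"   # assumed key path
  # tls_disable is left at its default (false): secrets must not cross the wire in clear.
}

# Auto-unseal: Vault's master key is encrypted with a key that lives in Azure Key Vault.
# Vault never holds that key itself; on start-up it asks Key Vault to unwrap the master
# key, so no operator has to enter unseal key shares.
seal "azurekeyvault" {
  tenant_id  = "00000000-0000-0000-0000-000000000000"  # placeholder tenant
  vault_name = "hc-vault-unseal"                        # assumed Key Vault name
  key_name   = "vault-unseal-key"                       # assumed key name
  # client_id / client_secret can be set here or through AZURE_CLIENT_ID and
  # AZURE_CLIENT_SECRET; on an Azure VM with a managed identity they can be omitted.
}

api_addr     = "https://vault-1.example.internal:8200"   # assumed hostname
cluster_addr = "https://vault-1.example.internal:8201"
```

The identity Vault runs as needs only the `get`, `wrapKey` and `unwrapKey` key permissions on that Key Vault key, so it should be granted nothing more. Because the unseal keys are replaced by the cloud key, `vault operator init` on such a server hands back recovery keys rather than unseal keys; those still need to be split and stored safely, since they are what lets you rekey or recover if the Azure key is ever lost.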
9. Dynamic secrets: HashiCorp Vault can generate secrets on demand and manage them.
- Secrets are generated at the moment a client asks for them rather than stored ahead of time.
- The lifecycle of the secret (lease, renewal, expiry) is managed by Vault.
- The permissions those credentials carry are managed by Vault.
For example, an Azure service principal that needs renewing: Vault can create and rotate it automatically, so service principals do not expire unnoticed and the credentials never have to be disclosed to a person. They can also be time limited and automatically revoked.
Consider access to a MySQL database, where users and grants have to be managed to give access. Vault can manage those users and grants in a time-limited fashion, creating them on request and removing them when the lease ends, not just from Vault but from the MySQL database itself. To do so Vault connects to MySQL with an account that has been given permission to create and drop users and to grant privileges.
Coupled with secrets engines, this means secrets can be managed from one place (Vault) across many services (Azure, AWS, MySQL, certificates and so on).
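To make the MySQL case concrete, here is an added example (written for this page, not code from the original post or from HashiCorp) that configures Vault's database secrets engine for MySQL using the Terraform Vault provider; the same configuration can be written by hand with `vault secrets enable database` and `vault write database/config/mysql ...`. The MySQL hostname, the `vault-admin` account, the `billing` schema, the role name and the Terraform variable are all assumptions.

```hcl
# Example only: dynamic MySQL credentials via the database secrets engine.

variable "mysql_admin_password" {
  type      = string
  sensitive = true   # assumed to be injected at apply time, never committed
}

resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# The one long-lived credential in the picture: the account Vault uses to create and
# drop users. Once configured, Vault can rotate it so no human keeps a copy.
resource "vault_database_secret_backend_connection" "mysql" {
  backend       = vault_mount.db.path
  name          = "mysql"
  allowed_roles = ["billing-readonly"]   # this connection may only serve this role

  mysql {
    connection_url = "{{username}}:{{password}}@tcp(mysql.example.internal:3306)/"
    username       = "vault-admin"
    password       = var.mysql_admin_password
  }
}

# Each read of database/creds/billing-readonly runs creation_statements with a fresh
# {{name}} and {{password}}; when the lease expires or is revoked, revocation_statements
# run against MySQL, so the user disappears from the database, not just from Vault.
resource "vault_database_secret_backend_role" "billing_readonly" {
  backend = vault_mount.db.path
  name    = "billing-readonly"
  db_name = vault_database_secret_backend_connection.mysql.name

  creation_statements = [
    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
    "GRANT SELECT ON billing.* TO '{{name}}'@'%';",   # least privilege: read only
  ]
  revocation_statements = [
    "DROP USER IF EXISTS '{{name}}'@'%';",
  ]

  default_ttl = 3600    # a credential lives one hour unless renewed
  max_ttl     = 86400   # and can never be renewed beyond one day
}
```

After `terraform apply`, a client whose policy allows it runs `vault read database/creds/billing-readonly` and receives a username, a password and a `lease_id`; `vault lease revoke <lease_id>` drops the MySQL user immediately. The `vault-admin` account needs only `CREATE USER`, `DROP USER`-equivalent rights and the ability to grant `SELECT` on the schema, and `vault write -f database/rotate-root/mysql` makes Vault replace its password with one nobody else knows.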
Reasons not to use HashiCorp Vault
- Vault requires infrastructure to run on, and in production that infrastructure has to be managed, secured, fed and watered. More security-conscious companies may see this as a benefit, since the vault stays under company control. If it is a blocker, the cloud version, effectively a managed Vault offering on the HashiCorp platform, is now in public beta and removes this problem.
- Learning curve / training: Vault is relatively simple to learn the basics of, and there is some excellent training on the HashiCorp site, but if your teams are already familiar with Azure Key Vault or AWS KMS, this is ANOTHER thing to learn!
HashiCorp Vault takes secrets management to the next level, providing many benefits and features beyond those offered by Azure Key Vault or AWS KMS.
If you have any further insight on pros / cons around using HashiCorp Vault I would love to hear from you!
Check out the links below for more information.
- How Does Vault Compare to Cloud Vendors' KMS and Secrets Management Services? Learn about several specific advantages HashiCorp Vault has over cloud vendors' KMS and secrets management services…
- HashiCorp Vault on Azure. Working with Microsoft, HashiCorp launched Vault with a number of features to make secret management easier to automate…
If you have access to Pluralsight, the course by Ned Bellavance is excellent!